Potential service impact - Microsoft May Windows Updates - authentication failures affecting Domain Controllers
Incident Report for Pulsant Service
Resolved
This issue has been resolved. Microsoft have released additional updates which correct the defective KB.
Posted Jun 08, 2022 - 10:44 BST
Identified
Synopsis:

The May Windows Updates released by Microsoft on 10th May 2022 include an update which addresses two known vulnerabilities (CVE-2022-26931 and CVE-2022-26923). It has come to light that this update causes various issues with authentication protocols. Microsoft have confirmed that service impact is limited to servers running in the Domain Controller role.

Nature of the issue:

Microsoft have advised the following:

After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Impacted Systems:

Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2 Enterprise ESU
Windows Server 2008 R2 Standard ESU
Windows Server 2008 R2 Datacenter ESU
Windows Server 2008 Service Pack 2
Windows Server 2016, all editions
Windows Server, version 20H2, all editions
Windows Server 2022
Windows Server 2019

Remediation Advice:

Pulsant would recommend that clients proceed with patching end user devices as normal. Servers not running in the Domain Controller role can also be patched at this time.

For servers running in the Domain Controller role, Pulsant would recommend that clients postpone their normal patching routine for a period of at least 14 days in the expectation that Microsoft will release an emergency update which addresses this issue. However, clients should balance this advice against their own risk posture in relation to the various critical and high vulnerabilities which are covered by the May release, including the following:

CVE-2022-26925
CVE-2022-22713
CVE-2022-29972

Pulsant are currently working with our Cyber Security team to assess how best to approach our normal cycle of automated and manual patching for the May release.

External Links:

https://docs.microsoft.com/en-us/windows/release-health/status-windows-server-2022#2826msgdesc
https://www.bleepingcomputer.com/news/microsoft/microsoft-may-windows-updates-cause-ad-authentication-failures/
https://www.tenable.com/blog/microsofts-may-2022-patch-tuesday-addresses-73-cves-cve-2022-26925
Posted May 13, 2022 - 13:30 BST
This incident affected: Threat Intelligence Alert.